{"id":1920,"date":"2025-02-13T12:08:45","date_gmt":"2025-02-13T12:08:45","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1920"},"modified":"2025-02-13T12:08:45","modified_gmt":"2025-02-13T12:08:45","slug":"cisa-fbi-call-software-with-buffer-overflow-issues-unforgivable","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1920","title":{"rendered":"CISA, FBI call software with buffer overflow issues \u2018unforgivable\u2019"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>FBI and CISA have issued a joint advisory warning software developers against building code with buffer overflow vulnerabilities in it, calling them \u201cunforgivable\u201d mistakes.<\/p>\n<p>Tagging the advisory as part of their ongoing \u201c<a href=\"https:\/\/www.csoonline.com\/article\/3599118\/oktas-secure-by-design-pledge-suffers-a-buggy-setback.html\">Secure by Design<\/a>\u201d efforts, the authorities said these vulnerabilities are prevalent in software, including products from vendors like Microsoft, VMware, and Ivanti, and can lead to full system compromise.<\/p>\n<p>\u201cCISA and FBI maintain that the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities \u2014 especially the use of memory-unsafe programming languages \u2014 poses unacceptable risk to our national and economic security,\u201d the authorities said.<\/p>\n<p>A buffer overflow is a memory safety defect that stems from a program reading or writing memory beyond its allocated boundaries by failing to initialize memory properly.<\/p>\n<h2 class=\"wp-block-heading\">Buffer overflow bugs are unforgivable<\/h2>\n<p>\u201cThe CISA and FBI recognize that memory safety vulnerabilities encompass a wide range of issues \u2014 many of which require 
significant time and effort to properly resolve,\u201d the <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/secure-design-alert-eliminating-buffer-overflow-vulnerabilities\">advisory<\/a> added. \u201cWhile all types of memory safety vulnerabilities can be prevented by using memory safe languages during development, other mitigations may only address certain types of memory safety vulnerabilities.\u201d<\/p>\n<p>The advisory pointed out that buffer overflow flaws are well-understood vulnerabilities and are easily avoidable by using memory-safe languages. It also listed additional techniques to help fix these issues.<\/p>\n<p>Despite \u201cwell-documented\u201d fixes, buffer overflow vulnerabilities remain quite prevalent, CISA pointed out. \u201cFor these reasons \u2014 as well as the damage exploitation of these defects can cause \u2014 CISA, FBI, and others[<a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/secure-design-alert-eliminating-buffer-overflow-vulnerabilities#_ednref1\">1<\/a>] designate buffer overflow vulnerabilities as unforgivable defects.\u201d<\/p>\n<p>Manufacturers are asked to refer to the methods outlined in the alert <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2025-02\/secure-by-design-alert-eliminating-buffer-overflow-vulnerabilities-508c.pdf\">PDF<\/a> issued with the advisory to prevent and mitigate buffer overflow defects, and software users are advised to <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/secure-demand-guide\">demand secure products<\/a> from them that build in such protections.<\/p>\n<h2 class=\"wp-block-heading\">Microsoft, VMware, Ivanti flaws called out<\/h2>\n<p>The feds highlighted a list of buffer overflow bugs affecting leading vendors like Microsoft, Ivanti, VMware, Citrix and Red Hat, ranging from high to critical severity, some of them already exploited in the wild.<\/p>\n<p>The list included two Microsoft flaws: one that could allow local attackers in 
container-based environments to gain system privileges (<a href=\"https:\/\/www.csoonline.com\/article\/3822488\/february-patch-tuesday-cisos-should-act-now-on-two-actively-exploited-windows-server-vulnerabilities.html\">CVE-2025-21333<\/a>), and one enabling privilege escalation through the Windows Common Log File System (CLFS) driver that could lead to full system access (CVE-2024-49138). The latter was picked up by threat actors for <a href=\"https:\/\/www.tenable.com\/blog\/microsofts-december-2024-patch-tuesday-addresses-70-cves-cve-2024-49138\">zero-day exploitation<\/a> and was assigned a CVSS rating of 7.8\/10.<\/p>\n<p>Most critical in the list is a <a href=\"https:\/\/www.csoonline.com\/article\/3583542\/vmware-patches-security-vulnerability-twice.html\">VMware vCenter flaw<\/a> (CVE-2024-38812) that Broadcom had to patch for a second time within months after it <a href=\"https:\/\/support.broadcom.com\/web\/ecx\/support-content-notification\/-\/external\/content\/SecurityAdvisories\/0\/24968\">admitted<\/a> the first patch did not completely fix the issue. The flaw was a heap overflow in the vCenter Server implementation of the DCERPC (Distributed Computing Environment \/ Remote Procedure Call) protocol.<\/p>\n<p>Another critical flaw (CVSS 9\/10) listed in the advisory is a stack-based buffer overflow in Ivanti\u2019s Connect Secure (CVE-2025-0282) that the IT software maker fixed in January after it was <a href=\"https:\/\/www.csoonline.com\/article\/3652369\/ivanti-warns-critical-rce-flaw-in-connect-secure-exploited-as-zero-day.html\">exploited in zero-day attacks<\/a>. 
While historically dependent on memory-unsafe languages like C and C++, all these vendors are gradually <a href=\"https:\/\/www.techzine.eu\/news\/devops\/116080\/microsoft-continues-push-to-switch-code-over-to-rust\/\">moving towards memory-safe languages<\/a> like Rust, Go, Swift, and Python.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>FBI and CISA have issued a joint advisory warning software developers against building code with buffer overflow vulnerabilities in it, calling them \u201cunforgivable\u201d mistakes. Tagging the advisory as part of their ongoing \u201cSecure by Design\u201d efforts, the authorities said these vulnerabilities are prevalent in software, including products from vendors like Microsoft, VMware, and Ivanti, and can lead [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1921,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1920","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1920"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1920"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1920\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1921"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1920"}],"wp:term":[{"taxonomy":"category","embeddabl
e":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1920"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1920"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}